How to Keep your Company safe from Phishing Attacks

Don’t Get Hooked by Phishing.

Pandemic hasn’t only brought the disease with itself but has also brought security risks for all the organizations. Because of COVID-19, companies are working from home, and attackers are enjoying the benefits.

According to Symantec, there was an increase in phishing attacks in 2020, of which one part of 4200 e-mails belongs to phishing e-mails. At the beginning of the phishing attack, 65% of attackers use spear-phishing to spread the malicious links.

According to CSO Online, 94% of malicious links are delivered via e-mails as well as this attack costs $17,700 every minute.

Throughout this post, we will discuss phishing attacks’ essential attributes and include some efficient ways to defend and mitigate organizations’ potential threats.

Phishing Attack

Phishing attacks have the ability to skirt technology and target human emotion, making it imperative that organizations empower their employees to be part of the solution.”

-Aaron Higbee.

Phishing is the same as fishing. Imagine throwing fodder in water to catch the fish, in the same manner, hackers throw fodder in the big ocean of the internet in the form of URLs, messages, or e-mails to catch (attack) the user’s sensitive data such as Gmail password, Facebook Id and password or bank credentials, etc.

Phishing will continue to grow as new technologies evolve, and users are partly responsible for maintaining their information confidentiality. Several corporates are also seeking to mitigate phishing attacks, including Facebook, Gmail, Norton, and IBM, etc.

Phishing Attack

Source: Cloudflare.com

Types of the Phishing attack

There are several ways a phishing attack can occur, including,

  • Clone phishing
  • Whaling
  • SMS phishing
  • Spear phishing

Despite having multiple ways, few specific types that is use within organizations are,

Spear Phishing

“I can go into LinkedIn and search for network engineers and come up with a list of great spear-phishing targets because they usually have administrator rights over the network. Then I go onto Twitter or Facebook and trick them into doing something, and I have privileged access. “

—  Kevin Mitnick

In spear-phishing, attackers particularly target specific corporations or users. In comparison to mass phishing, spear-phishing attackers collect data about a user or organization and use that information about their victims to maximize their likelihood of attack effectiveness.

Whaling is a part of spear-phishing where the targets are specifically senior management or executives of the organization. E-mails containing product information or financial reports processed with executives may be a spoof.

Clone Phishing targets are mostly auditing firms. The attacker uses previously genuinely delivered e-mails to clone and resend them by stating it’s an updated version of the original mail.

What approaches can use to attack the organizations?

  • Some methods of phishing use a manipulated links that seem to relate to the spoofed corporations. Such as fake subdomain URLs or misspelled links.

What approaches can use to attack the organizations?

  • Filter evasion is carried out using images or files instead of links in spoofed e-mails, making the attack more secure and harder to detect. In the given example, the sender is asking to download the malicious file to continue the services.

What approaches can use to attack the organizations 2

 

  • The JavaScript commands use to alter the URL address of the website where the victim is redirected.
  • Redirecting the victim to the legitimate website (which is already hack) and stealing the personal credentials is covert redirection. In the image, the view invoice button is redirecting towards the malicious link.

What approaches can use to attack the organizations 3

  • Tab nabbing is also an approach where attackers take benefit of several open tabs. When a user has multiple tabs open and clicks on a malicious link, this will open the spoofed tab in the browser without the victim’s knowledge.

gif

  • Social engineering is one of the most common approaches to attacking. The attacker plays with the victim’s mind and makes them click on links, resulting in hacking.

Mitigation techniques

Low-level mitigation techniques

“Companies spend millions of dollars on firewalls, encryption, and secure access devices, and it’s money wasted; none of these measures address the weakest link in the security chain.”

– Kevin Mitnick.

Weak links in the organization?

“Your employees remain your organization’s weakest security link.”

-Dashlane

Training

  • Employees should receive monthly training in safeguarding organizational assets.
  • Employees and senior managers or executives should be involved in training as they also play an essential role in piracy.

Verify Links

  • The URLs must be verified before clicking. Like Virus Total, many websites are available for such tasks to paste and ensure the link is safe enough to click.
  • Misspelled links or unsolicited attachments must revise as companies never request sensitive information on e-mail.
  • Domains or senders must verify whether the e-mail originates from a legitimate organization or not. Such as, example.youtobe.com has a fake domain name.

Verify Links

 

High-level mitigation techniques

  • Trusted antivirus software like Avira, Bitdefender, or Avast must be implemented on the systems and updated weekly.
  • A centralized mail system must be deployed for additional protection, such as Microsoft Defender for office 365. The defender verifies the link before redirecting the user to the given URL. If the link is malicious then, it blocks access to that website.

High-level mitigation techniques

  • Organizations should use two-factor authentication (2FA) or multi-factor authentication (MFA) to mitigate the risk at some point. A phishing attack can let hackers collect personal credentials but won’t allow them to hack fingerprints or security question’s answers. Multi-factor Authentication (MFA) is essential and might be the most potent solution for phishing e-mail threats.

High-level mitigation techniques

  • Safe browsing services must be implemented within the organization’s computer system. Safe Browsing is a Google feature that enables user apps to search URLs across Google’s frequently monitored list of risky web services. It notifies users before they click on links within the site that can lead to malicious pages.

High-level mitigation techniques 3

High-level mitigation techniques 4

  • IT department should deploy concise and clear policy systems such as Identity and Access Management (IAM) across the organizational systems. IAM system works on four A’s.
    • Audit
    • Authorization
    • Authentication
    • Assessment

IAM provides access on a need-to-know basis. It shall authorize and approve by the IT department.

The organizations can keep their internal system and employees safe from phishing attacks by strictly implementing the security policies and using all the techniques mentioned above.

At the end of the day, the goals are simple: safety and security.

-Jodi Rell.

Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

The Ultimate Blockchain & Bitcoin Guide

Let us start with a scenario. Whenever there is an election, we always hear the rumor that there is rigging in the election. In...

5 Top Cybersecurity Career Paths & Certifications

We are living in a world of innovations. Now, imagine innovative technologies with zero security is such a big nightmare. Cybersecurity comes here for...

How to Become a Certified Ethical Hacker (CEH)?

Data security becomes more important in running a successful business since persistent threats, hacks, and data breaches happening to an organization’s data. Every organization...

How to Tell if an Online Casino is Safe

Before the UK government established the Gambling Commission in 2005, online gambling was generally unregulated. Sure, Curacao and Malta had regulatory agencies at the...

LOOKING FOR HACKING RECIPES FORM THE PRO?

Then sign up for FREE to the ehacking’s exclusive group. You will get the exclusive tips/tricks, tutorials, webinars & courses that I ONLY share with my fellow on this exclusive newsletter.